Data protection and startups: what basis do I use under GDPR?

I’m going to talk about the lawful basis for processing under GDPR today, because this is where a lot of individuals get confused.

Do NOT mess around with this topic because it will get you into hot water. By now you should know that there are severe penalties under GDPR. It’s not a subject to take lightly.

As I’ve mentioned before, under GDPR you can’t just process personal data for the hell of it. You have to have a purpose for processing, and you have to have a lawful basis for that processing. A lawful basis is different from a purpose. Think of it this way: the purpose is why you’re going to process data. The basis is the legal justification for being allowed to process it. It’s the grounds for processing. There are only six available bases, set out in Article 6(1) of GDPR. You must pick the basis that’s appropriate for your purpose.

This article is in three parts. The first part tells you when to use which basis. The second part goes over the legitimate interests basis which is one of the more confusing bases for individuals. I’ll end by giving tips on this topic.

If you don’t know what GDPR is, if you don’t know how GDPR works, or if you’re completely confused on this topic read this other article first: GDPR 101: What Startups Need to Know about GDPR

I. WHEN TO USE WHICH BASIS

i. CONSENT BASIS:

Meaning: the data subject has given consent to the processing for one or more specific purposes

Use this when:

  • you can offer someone a genuine choice.

Don’t use this when:

  • you can’t offer the person a genuine choice. If you would process the data anyway on a different basis regardless of what the data subject says, and you still ask for consent, that’ll get you in trouble. Asking for consent in that situation is misleading.

  • you’re going to process regardless of whether the data subject withdraws consent. In that case you’re not selecting the right basis. Keep in mind that the whole point of consent is that the data subject can withdraw it at any time, and withdrawal must actually stop the processing.

  • you intend to fall back on a different basis if consent is refused or withdrawn. In that case the request for consent was never sincere.

ii. CONTRACT BASIS:

Meaning: processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract

Use this when:

  • there’s a contract with the data subject, or you’re taking steps at the data subject’s request before entering into one (for example, preparing a quote they asked for). Keep in mind that it needs to be the data subject who is a party to the contract.

Don’t use this when:

  • you have a contract with a third party to process someone else’s data. The data subject isn’t a party to that contract, so this basis doesn’t apply to them.

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

iii. LEGAL OBLIGATION BASIS:

Meaning: processing is necessary for compliance with a legal obligation to which the controller is subject

Use this when:

  • your purpose is to comply with a legal obligation and it’s necessary to process data to do so (think: a statute or a legal principle requires you to do this, such as keeping tax or employment records). The obligation has to come from EU or member-state law; a contractual promise or a law from elsewhere doesn’t count. Beyond that kind of statutory record-keeping, a startup probably won’t use this basis very much.

Don’t use this when:

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

iv. VITAL INTERESTS BASIS:

Meaning: processing is necessary in order to protect the vital interests of the data subject or of another natural person

Use this when:

  • there’s a life-or-death situation (a medical emergency, for instance) and you need to process data to deal with it. This one is not difficult to understand.

Don’t use this when:

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

v. PUBLIC INTEREST BASIS:

Meaning: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Use this when:

  • you’re a public authority, or you’re performing a governmental function or a task in the public interest that has a basis in law. For a private startup this will rarely be the right fit.

Don’t use this when:

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

vi. LEGITIMATE INTERESTS BASIS:

Meaning: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Use this when:

  • you have a genuine interest, the processing is necessary for it, you’ve balanced that interest against the data subject’s rights, and you’re able to document and defend that assessment. You take full responsibility for justifying the processing.

Don’t use this when:

  • you pick it just because it feels like the broadest basis. It is true that this is the broadest of the six, but there’s also more scrutiny attached to it.

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

II. WHAT IS THE LEGITIMATE INTERESTS BASIS?

This basis is often the most confusing one for individuals to understand. What is a legitimate interest? This is pretty broad, vague, and has not been fleshed out thoroughly. I suspect this will change in the next few years. You can see Recital 47 for some examples of legitimate interests (fraud prevention and direct marketing, for instance), and Recital 49, which names ensuring network and information security as one. When thinking about the legitimate interests basis, consider the following:

i. Can you reach the purpose without processing the data, or with less data? If yes, then don’t use legitimate interests as a basis.

ii. There are many legitimate interests. GDPR is intentionally broad on this. However, the key consideration is whether the general principles of data protection can still be adhered to. What does this mean? You know all of those principles of GDPR, the goals and objectives of it? You really must weigh those principles against your interest in processing the data. Be careful of just saying “oh, I have a legitimate interest, so I can process this.” No. It doesn’t work that way. You have to treat data protection as a matter of policy. Don’t play games with this.

iii. Figure out whether your need for processing is outweighed by the interests or rights of the data subject, including what they would reasonably expect you to do with their data. This is not a willy-nilly consideration. You need to really analyze this part and write down your reasoning.

III. TIPS FOR UNDERSTANDING BASIS UNDER GDPR

  1. Have a basis. You have to process data lawfully, and you must have a basis for processing. There are only six lawful bases. So if you don’t have one of them, you’re processing data unlawfully.

  2. Difference between PURPOSE and BASIS. Purpose is why you’re processing data; basis is the legal ground that allows you to process it.

  3. Purpose first. First thing you should do is decide the purpose for processing data. Then select the basis. This will help you abide by the ideas/principles of purpose limitation.

  4. Know from the get-go. Know what basis you’re going to use before you start processing data. You will need to put the purpose of processing and the basis in your documentation. It’s best to know these items from the start. You can change to a different one later, but that may be deemed unfair to the data subject. Doing too much bullshit will put you in hot water with regulators.

  5. Put this stuff in your privacy notice. Privacy notice should include the purpose for processing and the lawful basis.

  6. No best basis. There’s no overall best basis or anything like that. There’s just the best basis for the purpose. If one basis fits better than another, that’s fine—go with the better one from the start.

  7. Yes, you can switch basis, but you must have a very good reason to do so. The reason you need a good justification is that switching without one is considered unfair to the individual, so switching comes with increased scrutiny. If you decide to switch, make sure you inform the individual. Keep in mind that switching from consent to a different basis is especially frowned upon, because it suggests the individual never had a genuine choice when giving consent in the first place.

  8. Understand what “necessary” means. Some of the bases require that the processing is “necessary”. Be careful about using these bases, and understand what this means. It does not mean that you can only use these bases if the world is going to end. It’s not that strict. It doesn’t mean that processing has to be completely essential. The ICO states that “ . . . it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.”

  9. Applies to Texas startups. As a reminder, GDPR can and does apply to Texas startups. If you’re in Dallas or Houston and you’re offering goods or services to individuals in the EU, or monitoring their behaviour (targeting them with ads, tracking them on your site, etc.), then you will need to abide by these rules even though you have no EU establishment.

  10. Not all rights apply. As you know, GDPR gives rights to individuals. Note that the basis you select affects which rights are available to the individual. For example, the right to object applies to processing based on legitimate interests or public task, but an individual generally does not have the right to object to processing that is based on contract. Likewise, the right to data portability applies only where the basis is consent or contract.

  11. Be careful about legitimate interests. Yes, it’s the broadest basis. If you are considering it, make sure you do the proper diligence and make sure you’re able to properly justify using it.

  12. Contact. Shoot me an email if you have any questions on this topic.